Shibboleth: The Journey Begins

ShibboWhat?

It is quite comical to listen to the folks around me discuss this service.  I know when I first saw it come across my screen several years ago I was a little hesitant to speak it in front of others.  So, true to form, I google’d it (funny how this is now a verb in popular vernacular) and learned the correct pronunciation prior to a meeting.  Some attendees slid in a ‘w’ and some were nowhere close, so I would not have been alone in my verbal hiccup.

However, I am that person.  I hate to participate in a conversation and not be fully prepared.  So for the meeting in question I not only learned the correct way to say Shibboleth but also researched what it did, how it worked, and what else was available that provided the same functions.  I came across Active Directory Federation Services 1.0 at that time and, being a Microsoft shop, leaned more in that direction.  That of course led us to finally adopting ADFS v2 in 2012.

The test has been with other third-party vendors not quite ready to easily interoperate with ADFS.  In my limited experience it seems that if you have the ability to accept SAML tokens it should work, but it still baffles a few developers, so in response I decided to put up a Shibboleth IdP (identity provider) server.  As this was quite the experience, I thought I would share and hopefully save someone else from needless hours of aggravation.

First I went to Internet2’s web source and reviewed the install documentation.  Two ways, ok, not uncommon.  I then did a search for forums where others went through the process to see what they did.  I came across a few more ways.  There were several web server applications to choose from, and one blog even used both Tomcat and Microsoft’s IIS.  So which did I pick?  Any and all that would work on Windows 2008 R2.

I started with the blog centered around Tomcat 6 and IIS.  I could get the default IIS page on port 80 but 443 rendered nothing and yes I did bind the certificate.  I could get the Tomcat default page on 8080 but 8443 again rendered blank.  I did try this process twice using the directions provided then scrapped it.

I then decided to start over using IIS and Tomcat but using the quick installer.  Nothing worked.  Blank all the way.  Bust number two.

Next I decided to use the instructions on Internet2 and installed Tomcat first then ran the Shib installer.  Tomcat default page rendered on 8080, 8443 was blank and the Shib pages on 443 were frustratingly absent again.

Finally I just decided to run the quick installer by itself after uninstalling IIS and Tomcat.  At this point I had installed and uninstalled IIS, Shibboleth and Tomcat approximately four times.  I was very confused and could not quite figure out the issues causing all of the other trials to fail.  Lo and behold, however, just running the quick installer seemed to be the trigger.  I was finally able to go to the next steps and test it out.

Using the test service provider listed in the Internet2 documentation it just worked.  I was so relieved after hours of installs and uninstalls.  I’m not usually a pusher of the quick anything, but I must say this one just worked and I would recommend this method to anyone.

Once my initial testing worked, I had those in the department try it out in different browsers.  Everything still seemed to be moving forward.  Since I have the service using the global catalog, it just as easily authenticated users in other domains within our large, complex forest.  The only complaint I received was the untrusted certificate.  I thought, “I can deal with that quickly”.  As it turned out, not as quickly as I initially believed.
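For anyone wondering what “using the global catalog” looks like in practice, here is an added example of the kind of JAAS configuration an IdP v2 install uses for username/password authentication (conf/login.config).  This is not the author’s actual configuration; the host name, base DN, service account and password are assumptions for illustration.

```conf
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      /* Assumed GC host. Port 3269 is the global catalog over SSL; 3268 is plain LDAP.
         The GC holds every domain in the forest, which is why one connection
         authenticates users from other domains without per-domain referrals. */
      ldapUrl="ldaps://gc.example.edu:3269"
      /* Forest root; with subtreeSearch the lookup descends into every domain. */
      baseDn="DC=example,DC=edu"
      subtreeSearch="true"
      /* Assumed low-privilege service account used only to locate the user
         entry before the user's own bind. Keep this file readable by the
         service account and administrators only, since the password is clear text. */
      bindDn="CN=svc-shib-idp,OU=Service Accounts,DC=example,DC=edu"
      bindCredential="changeme"
      /* {0} is whatever the user typed in the login form, so with this filter
         users enter a bare ID rather than DOMAIN\user. */
      userFilter="sAMAccountName={0}";
};
```

Two caveats a practitioner will hit: the GC only replicates the partial attribute set, so any attribute you later resolve must be in it (sAMAccountName and userPrincipalName are); and sAMAccountName is only unique within a domain, so in a multi-domain forest a filter on userPrincipalName={0} is the safer choice if two domains could share a login name.  The JVM running the IdP must also trust the certificate the GC presents, which for an internal CA means importing that CA into the JVM truststore.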

I had to figure out exactly what a keystore was, how it really worked, how it was accessed, what formats it could be, and how to use a wildcard that is stored as a pfx file.  Remember, I work for a Microsoft based shop and had always used the management console.  This was tons of fun also.  But after about eight hours start to finish I finally had a complete Shibboleth IDP server with a third party issued wildcard certificate.  A deep breath was in order.
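Since the keystore step cost the most time, here is the procedure as an added example (not the author’s script): a PowerShell session that imports a wildcard certificate exported from the Windows certificate store as a .pfx into a Java keystore, then verifies the result.  Paths, passwords, the alias name and the service account are assumptions.

```powershell
# Added example: turn a Windows .pfx export into a Java keystore for the IdP's
# HTTPS connector. A .pfx is already a PKCS#12 keystore, so keytool reads it directly.
# All paths, passwords and names below are assumptions for illustration.

$Pfx          = 'C:\certs\wildcard-example-edu.pfx'   # assumed export from certmgr.msc, with private key
$PfxPassword  = 'ExportPassword'                      # password chosen at export time
$Keystore     = 'C:\Program Files (x86)\Shibboleth\IdP\credentials\https.jks'   # assumed destination
$KeystorePass = 'KeystorePassword'
$DestAlias    = 'wildcard'                             # friendly name the connector config refers to
$ServiceAcct  = 'EXAMPLE\svc-shib-idp'                 # assumed account the IdP service runs as

# keytool ships with the JRE/JDK the IdP runs on; fail early if it is not on PATH.
if (-not (Get-Command keytool -ErrorAction SilentlyContinue)) {
    throw 'keytool not found; add <JAVA_HOME>\bin to PATH first'
}

# 1. Discover the alias Windows gave the entry when exporting (usually an opaque GUID).
$listing = & keytool -list -v -keystore $Pfx -storetype PKCS12 -storepass $PfxPassword 2>&1
if ($LASTEXITCODE -ne 0) { throw "keytool could not open ${Pfx}: $listing" }
$SrcAlias = ($listing | Select-String 'Alias name:' | Select-Object -First 1).Line -replace '^Alias name:\s*', ''
"Source alias in PFX: $SrcAlias"

# 2. Copy the private key and certificate chain into a JKS keystore under a friendly alias.
#    Tomcat/Jetty connectors supply a single password, so the key password must equal
#    the store password (-destkeypass = -deststorepass).
& keytool -importkeystore `
    -srckeystore  $Pfx      -srcstoretype  PKCS12 -srcstorepass  $PfxPassword  -srcalias  $SrcAlias `
    -destkeystore $Keystore -deststoretype JKS    -deststorepass $KeystorePass -destalias $DestAlias `
    -destkeypass  $KeystorePass -noprompt
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# 3. Verify: one PrivateKeyEntry whose chain reaches the commercial root.
#    If "Certificate chain length: 1" appears, the .pfx was exported without the
#    certification path; re-export with "Include all certificates in the path",
#    otherwise the connector serves only the leaf and browsers still complain.
& keytool -list -v -keystore $Keystore -storetype JKS -storepass $KeystorePass |
    Select-String 'Alias name:|Entry type:|Certificate chain length:|Owner:|Issuer:'

# 4. The keystore holds the wildcard private key; restrict it to the service account and admins.
icacls $Keystore /inheritance:r /grant:r "${ServiceAcct}:(R)" 'BUILTIN\Administrators:(F)' | Out-Null
```

Point the container’s 443 connector at this file, password and alias (on a Tomcat Connector those are the keystoreFile, keystorePass and keyAlias attributes).  Two things worth knowing before starting: the passwords above end up in the PowerShell history and the process command line, so clear the history afterwards or run this from a console you then close; and this keystore is only for the browser-facing TLS listener.  The IdP’s SAML signing credential (the self-signed idp.crt/idp.key the installer generated and published in metadata) is separate and should not be replaced with the commercial wildcard, because service providers trust the key in the metadata, not a public CA.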

So today I began working on the look of the sign-on page.  I needed to make it match exactly to our ADFS authentication form.  I really have not worked much with jsp pages but CSS is CSS and luckily this was not too difficult.

So what challenges still lie ahead for me?  Making ADFS and the Shibboleth server use the same authentication method so users do not have to type domain\username in one and just their user ID in the other.  But that’s tomorrow’s problem.
